What is a TXT Record?
A TXT (Text) record is a DNS record type that stores arbitrary text strings associated with a domain. Originally intended for human-readable notes, TXT records have become essential for machine-readable data like email authentication policies, domain ownership verification, and service-specific configurations.
Common TXT Record Uses
Email Authentication
SPF (Sender Policy Framework):
example.com. IN TXT "v=spf1 include:_spf.google.com ~all"
Specifies which servers can send email for your domain.
DKIM (DomainKeys Identified Mail):
google._domainkey.example.com. IN TXT "v=DKIM1; k=rsa; p=MIGfMA0..."
Contains the public key for email signature verification.
DMARC (Domain-based Message Authentication):
_dmarc.example.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
Defines email authentication policy and reporting.
Domain Verification
Google Search Console:
example.com. IN TXT "google-site-verification=abc123..."
Microsoft 365:
example.com. IN TXT "MS=ms12345678"
SSL Certificate Validation:
_dnsauth.example.com. IN TXT "validation-token-from-ca"
Other Applications
Facebook Domain Verification:
example.com. IN TXT "facebook-domain-verification=xyz789"
Keybase Identity:
_keybase.example.com. IN TXT "keybase-site-verification=..."
Custom Application Data:
_app.example.com. IN TXT "config=value123"
TXT Record Format
Basic Syntax
name IN TXT "text content here"
Multiple TXT Records
A domain can have multiple TXT records:
example.com. IN TXT "v=spf1 include:_spf.google.com ~all"
example.com. IN TXT "google-site-verification=abc123"
example.com. IN TXT "facebook-domain-verification=xyz789"
Long TXT Records
TXT record strings are limited to 255 characters per string, but multiple strings can be concatenated:
selector._domainkey.example.com. IN TXT (
"v=DKIM1; k=rsa; "
"p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA..."
"...long key continues..."
)
DNS clients automatically concatenate these strings.
Checking TXT Records
Using dig:
dig example.com TXT
; ANSWER SECTION:
example.com. 300 IN TXT "v=spf1 include:_spf.google.com ~all"
Checking specific subdomain TXT:
dig _dmarc.example.com TXT
dig selector._domainkey.example.com TXT
Using DomScan:
curl "https://domscan.net/v1/health?domain=example.com"
# Returns hasTXT and email authentication status
TXT Record Best Practices
For Email Authentication
1. Always configure SPF, DKIM, and DMARC together
2. Use a single SPF record - multiple SPF records cause issues
3. Keep SPF lookups under 10 - exceeding causes failures
4. Test before deploying - use online validators
For Domain Verification
1. Don't remove verification TXT records - services may re-verify
2. Document what each TXT record is for - they can accumulate
3. Clean up unused records - remove records for services you no longer use
For Custom Applications
1. Use underscore prefixes (_app.example.com) to avoid conflicts
2. Document the format - future you will forget
3. Consider TTL - lower TTLs for frequently changed configs
Security Considerations
Information Disclosure
TXT records are public. Don't store sensitive information:
# Bad - exposes internal info
example.com. TXT "internal-api-key=secret123"
SPF Vulnerabilities
Overly permissive SPF records can enable email spoofing:
# Bad - allows anyone to send
example.com. TXT "v=spf1 +all"
# Good - restrictive
example.com. TXT "v=spf1 include:_spf.google.com -all"
Troubleshooting TXT Records
Multiple SPF Records: Only one SPF record per domain is valid. Merge multiple SPF policies into one.
Truncated Records: If your TXT record appears cut off, ensure proper string quoting and concatenation.
Propagation Delays: TXT record changes follow TTL-based propagation. Lower TTL before making changes to verification records.
TXT records are the Swiss Army knife of DNS—versatile but requiring careful management as their usage grows.